Subject: New SSL features for Nginx.
From: Brice Figureau (bric@daysofwonder.com)
Date: Jul 21, 2009 11:01:42 am
List: ru.sysoev.nginx

Hi,

For Puppet[1] Nginx deployment (that is, using Nginx as a front-end load balancer to puppetmasters[2]), I had to create the following two patches, to match Apache behaviour:

* The first patch allows:

  + a new variant of ssl_client_verify: optional. In this mode, if the client sends a certificate it is verified, but if the client doesn't send a certificate, the connection is authorized too.

  + a new variable: $ssl_client_verify, which contains either NONE, SUCCESS or FAILURE depending on the verification status. It can be used to send information to the upstream about the client verification.

* The second patch adds CRL support to the client certificate verification:

ssl_crl /path/to/crl.pem;

Nginx then verifies the client certificate hasn't been revoked in the given CRL before allowing the connection to proceed.

For access to the patches, please see my last blog article: http://www.masterzen.fr/2009/07/21/new-ssl-features-for-nginx/

It would be great if those patches could be merged in the official Nginx source tree.

Thanks,

[1]: http://reductivelabs.com/products/puppet/
[2]: http://reductivelabs.com/trac/puppet/wiki/UsingMongrelNginx
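
How the features described in the message above fit together on a front-end, as an added example that is not part of the original message or its patches. The verification directive is written as ssl_verify_client, its name in released nginx; the server name, ports, file paths other than the CRL path, header names and upstream address are placeholders chosen for illustration.

```nginx
# Constructed example: names, ports, header names and most paths are placeholders.
upstream puppetmasters {
    server 127.0.0.1:18140;
}

server {
    listen      8140 ssl;
    server_name puppet.example.com;

    ssl_certificate        /etc/nginx/ssl/server.pem;
    ssl_certificate_key    /etc/nginx/ssl/server.key;

    # CA that client certificates must chain to, and the CRL checked
    # before a presented certificate is accepted.
    ssl_client_certificate /etc/nginx/ssl/ca.pem;
    ssl_crl                /path/to/crl.pem;

    # Verify a certificate when one is presented; a client that sends
    # none is still allowed to connect.
    ssl_verify_client      optional;

    location / {
        proxy_pass http://puppetmasters;

        # Always set these headers from nginx's own variables so that a
        # value supplied by the client under the same name is replaced.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
    }
}
```

Because the optional mode admits clients without a certificate, the upstream has to treat any X-Client-Verify value other than SUCCESS as unauthenticated. The upstream should also accept connections only from the front-end, since it trusts these headers.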